Open
Description
Please check this page:
https://vulners.com/hackerone/H1:356047
A way to reproduce it is to access your site through:
https://example.com/wp-json/wp/v2/users
Even with author pages disabled, the usernames list is disclosed and accessible. A presented solution for that is to add a filter:
```php
// Remove the REST routes that list users and fetch a single user by ID.
add_filter( 'rest_endpoints', function( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```
I've tried it and it worked on my side. Could you consider adding it to your plugin?
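A variant of the filter above, added here as an example and not taken from the issue or the plugin: it hides every `/wp/v2/users` route from visitors who are not logged in, but keeps them for authenticated users who hold the core `list_users` capability, so the block editor's author selection keeps working for editors and administrators. The prefix match generalizes the two routes in the snippet to any route under `/wp/v2/users`.

```php
<?php
/**
 * Hide the user-listing REST routes from unauthenticated requests only.
 *
 * The rest_endpoints filter runs during REST dispatch, after WordPress has
 * resolved the current user (cookie + nonce or other authentication), so
 * current_user_can() reflects the requester of this specific request.
 */
add_filter( 'rest_endpoints', function( array $endpoints ): array {
    // Logged-in users allowed to see the user list keep the routes intact.
    if ( is_user_logged_in() && current_user_can( 'list_users' ) ) {
        return $endpoints;
    }

    // Anonymous (and low-privilege) requests: drop every route under the
    // users namespace, covering /wp/v2/users, /wp/v2/users/(?P<id>[\d]+)
    // and any other route registered beneath that prefix.
    $prefix = '/wp/v2/users';
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
} );
```

With the routes removed, an anonymous request to `/wp-json/wp/v2/users` receives the generic `rest_no_route` 404 instead of the user list, while the same request from a logged-in editor still succeeds.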